Firewall Wizards mailing list archives
Re: Transparent vs. Non-transparent AGs/SPFs/whatever
From: Bill_Royds () pch gc ca
Date: Fri, 25 Sep 1998 11:30:09 -0400
> That doesn't really answer the question I asked. Sure, if I know ahead of time that my user wants to telnet to port 2300, I can configure my firewall to route traffic with a destination port of 2300 through my telnet proxy app, no problem. But what if I don't know ahead of time what port people will be telnetting to? (This is assuming I want to proxy more than one protocol... if I'm only allowing telnet out, then the telnet proxy could handle everything.) And what if a different one of my users wants to do HTTP to port 2300 on a different host on the Internet? (Again, the assumption is that the telnet proxy is smart enough to know that HTTP doesn't look like a proper telnet... if a telnet proxy lets HTTP through thinking that it's just a weird telnet session, then that's just another circuit-level proxy as far as I'm concerned.)
>
> Ryan
>
> P.S. BTW, I think I probably already know the answer to this thread I've started, I'm just hoping I'm wrong.

The Raptor firewall has some support for this. It can't determine the proxy needed from the stream content, but rules can be set up as "use http for port 2300 to foo1.com; use telnet for port 2300 to foo2.com", called redirect services. This is deterministic and generally maintains the security policy, but it does leave some room for spoofing protocols.
AGs run transparently if they are the only pipe between the protected network (inside) and the unprotected Internet (outside). All default routes of the inside network, whether default gateway or router defaults, point to the inside NIC of the firewall. For your example, the firewall rules then say that if any traffic comes in from the inside NIC for port 2300 it will be proxied as telnet. No other service will be allowed on port 2300. Similarly for external traffic. Since there are 2 sessions on the firewall for each connection (from inside to firewall, from firewall to external server), you can even change the port on the way through or even change the protocol (always change ftp to ftp-PASV running under http). You are not restricted to carrying the same packets on each side of the firewall.
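As an added illustration (not code from the original post, and not Raptor's actual rule syntax or implementation), the following Python models the "redirect service" idea described above: the proxy handling a flow is chosen deterministically from destination host and port, never from stream content, and each application proxy then applies its own minimal sanity check on the first bytes from the client, which is what closes the "HTTP smuggled through the telnet proxy" gap Ryan worries about. The hosts foo1.com and foo2.com and port 2300 come from the thread; the rule table format, the protocol checks, and the sample flows are constructed assumptions for this example.

```python
"""Toy model of redirect-service proxy selection plus per-proxy stream checks.

Added example, not from the original post or from the Raptor product.
The rule format and the protocol heuristics below are assumptions.
"""
import re

# Assumed rule format: (destination host, destination port) -> proxy name.
REDIRECT_RULES = {
    ("foo1.com", 2300): "http",
    ("foo2.com", 2300): "telnet",
}

# Fallback: well-known ports map to their usual proxy; anything else is denied.
DEFAULT_PROXIES = {80: "http", 23: "telnet", 21: "ftp"}

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r?\n"
)


def select_proxy(dst_host, dst_port):
    """Deterministic lookup: a specific redirect rule wins over the port default.

    Returns the proxy name, or None when no service is permitted on that port.
    Stream content plays no part here, matching the behaviour described in the post.
    """
    if (dst_host, dst_port) in REDIRECT_RULES:
        return REDIRECT_RULES[(dst_host, dst_port)]
    return DEFAULT_PROXIES.get(dst_port)


def looks_like_http(first_bytes):
    """True if the client's opening bytes form an HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def looks_like_telnet(first_bytes):
    """Heuristic telnet check (assumption): refuse an HTTP request line, and
    accept only IAC option negotiation plus printable ASCII / line-control bytes.
    A telnet client sends no mandatory greeting, so this is deliberately loose.
    """
    if looks_like_http(first_bytes):
        return False
    i = 0
    while i < len(first_bytes):
        b = first_bytes[i]
        if b == 0xFF:  # IAC
            # WILL/WONT/DO/DONT (0xFB..0xFE) carry one option byte; other commands are 2 bytes.
            if i + 1 < len(first_bytes) and 0xFB <= first_bytes[i + 1] <= 0xFE:
                i += 3
            else:
                i += 2
            continue
        if b not in (0x08, 0x09, 0x0A, 0x0D) and not 0x20 <= b <= 0x7E:
            return False
        i += 1
    return True


# Proxies without a content check fail closed: the flow is denied.
PROTOCOL_CHECKS = {"http": looks_like_http, "telnet": looks_like_telnet}


def admit(dst_host, dst_port, first_bytes):
    """Return (proxy, verdict). The port decides the proxy; the proxy may still refuse."""
    proxy = select_proxy(dst_host, dst_port)
    if proxy is None:
        return None, "deny: no service on port"
    check = PROTOCOL_CHECKS.get(proxy)
    if check is None:
        return proxy, "deny: no protocol check for proxy"
    if not check(first_bytes):
        return proxy, "deny: stream does not look like " + proxy
    return proxy, "allow"


# Constructed sample flows: (dst host, dst port, first bytes from the inside client).
SAMPLE_FLOWS = [
    ("foo1.com", 2300, b"GET /index.html HTTP/1.0\r\nHost: foo1.com\r\n\r\n"),
    ("foo2.com", 2300, b"\xff\xfd\x18\xff\xfb\x18login\r\n"),  # IAC DO/WILL TERMINAL-TYPE, then text
    ("foo2.com", 2300, b"GET / HTTP/1.1\r\nHost: foo2.com\r\n\r\n"),  # HTTP pushed at the telnet redirect
    ("foo1.com", 2300, b"\x16\x03\x01\x00\x5a"),  # TLS-record-like bytes, not an HTTP request line
    ("foo3.com", 2300, b"GET / HTTP/1.0\r\n\r\n"),  # no redirect rule for this host
]


def evaluate_flows(flows=SAMPLE_FLOWS):
    """Run every sample flow through the policy; returns a list of (proxy, verdict)."""
    return [admit(h, p, b) for h, p, b in flows]


if __name__ == "__main__":
    for (h, p, _), (proxy, verdict) in zip(SAMPLE_FLOWS, evaluate_flows()):
        print(f"{h}:{p} -> {proxy}: {verdict}")
```

The third flow is the case Ryan describes: port 2300 to foo2.com is bound to the telnet proxy, so an HTTP request there is refused rather than relayed as "a weird telnet session". The heuristics are only as good as the proxy's own protocol parser; a real application gateway would enforce far more than the first line.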